Competitive Edge through Privacy by Design

Why might the move to GDPR help disruptors create new competitive advantages?

The GDPR has, in some people’s opinions, exponentially increased the burden of ensuring the privacy of personal data and, as appropriate, providing robust data security. With many organisations exploring the impact of GDPR and some developing their detailed response, it is clear that the changes required of the business, together with the burden of developing or incorporating certain trust, privacy and security measures, are much greater than under previous regulations (accompanied by greater fines equaling 4% of the global turnover or €20m).

This may seem a little ‘doom and gloom’, and many have interpreted the GDPR this way. However, with every new sanction and stipulation imposed by the EU there comes the prospect of advantages and business opportunities. And while there may be some who think that the GDPR is a hindrance, my personal view is that it may represent a great opportunity to create a new and genuine competitive advantage.

Time to clean up your ‘data act’

In order to be compliant, the organisations impacted will need to get to grips with their data and information. That means cleaning up multiple instances, understanding who owns what and where it’s stored, and establishing the extent to which they are compliant with the central tenets of the GDPR. Key here is having a ‘legitimate interest’ in the data or explicit consent. It does the business no good to have a huge list if the data is from individuals who are not relevant to the business or have not consented to the use of their data.

“We’re all going to have to change how we think about data protection.” Elizabeth Denning, UK Information Commissioner

Despite this leading to the potential for technical resources in such circumstances, if the individuals are on your servers, they are still entitled to the same measure of data protection as new and relevant individuals. This creates a superfluous demand on time and effort, which must be dedicated to ensuring that the unnecessary data meets the requirements of the GDPR and remains private and secure.

So how does this lead to an increase in competitive edge?

Well, let’s start with the more obvious opportunity – the upside risk. Clean up your data, reduce instances of duplicate data, be certain of your trust, privacy and security management practices, enhance governance, increase training and awareness, test your IT security and just get it right. Do this and the business will undoubtedly reduce the prospects of falling foul of the regulation and its fines, and can thus pursue business as usual whilst others fend off a whole swath of new subject access requests, incidents of breach, requests for data to be modified or erased, and data subjects asking to be forgotten.

But this is just the start.

“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.” Elizabeth Denning, UK Information Commissioner

GDPR can help to boost transparency

While the premise of the GDPR is privacy and the security of data, specifically personal information and how it is obtained, processed, stored and distributed, it can also be used as a means of enhancing organisational transparency. Think about it this way: who would you rather do business with or be employed by? An organisation taking GDPR seriously, or one doing little more than paying lip service to the regulation?

From a stakeholder perspective, it should be regarded with the same weighting as honesty, integrity and the ethical stance of the business. And that in its own right can enhance your reputation and help create competitive edge. It does so, of course, whilst helping to avoid the hefty fines for non-compliance or data breaches!

“Consumers and citizens have stronger rights to be informed about how organisations use their personal data.” Elizabeth Denning, UK Information Commissioner

The Truth will set you apart

Trust and empowerment are major issues in today’s world of commerce. Companies will need to specify their reason for obtaining data – its legitimate interest or legal purpose. If an organisation sets out the purpose together with statements about the probity, governance and security of such data, this should make clear that the business intends to take a best-practice approach to GDPR. Once again, who would you rather do business with? Of course, much of this depends not just on ‘talking the talk’, but also ‘walking the talk’!

“Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.” Elizabeth Denning, UK Information Commissioner

So, apart from the need for a business to earn loyalty and trust by using a secure and reputable means of achieving GDPR compliance, it is equally important, if not more so, to establish a level of trust through tangible results. You cannot simply claim to have good security; you must show that you are secure against breaches, that your data cannot be easily hacked and that you have measures in place so that, should a breach occur, the impact will not be devastating to the customer, client, employee or other stakeholder of your business. Whatever the size or maturity of the business, actions speak louder than proclamations. Ensure you build trust through what you can actually do, not what you claim to be able to do! For many, this may be best achieved through service audit reviews and third-party stress testing. But the benefits could be dramatic – with so many struggling to ‘get their ducks in a row’ around GDPR, those taking the lead will no doubt have something to shout about.

Marketing your GDPR position before others obtain momentum

It is inevitable that businesses will need to develop GDPR management practices to be compliant with the EU stipulations. It is perhaps also inevitable that this may, for some organisations, take a considerable amount of their time, effort and attention.

Because of this, businesses that take the early initiative and gain some form of third-party certification that they are compliant will have a first-mover advantage. This may translate into marketing advantage. Maybe this is a new form of disruption? Disruption through compliance?

According to a survey by Veritas, only 4% of businesses indicated that they had nothing to worry about with GDPR.

Whatever the degree of disruption this affords, it is clear that as all impacted organisations wake up to the need to comply, they will explore their third-party agreements and terms and conditions of service, and many will use this as an opportunity to consider those suppliers and vendors also willing to comply, and those who are not. In such circumstances, I can only suspect that this will lead to further opportunities to raid your competition’s client base. An example here is with recruiters. With liability being ‘joint and several’, you will almost certainly want to know where the recruiter obtained personal information from and that they hold appropriate, explicit consent to hold and process the data. But you will also need to look at the recruiter’s agreement to ensure that you are appropriately ‘held harmless’ (in so far as is possible) for those circumstances where issues may arise. I am already hearing from many HR functions planning to test GDPR compliance with recruiters on their preferred supplier lists!

Whatever happens, there are good reasons why GDPR has come about and it shouldn’t be ignored. Do it right, do it properly and shout about it to create real competitive edge.